We plan to spend the next several posts digesting the new study. For now, some interesting key findings (please be sure to visit the links above and download the full study):

• The average organizational cost of a data breach rose to $7.2 million.
• The average cost per breached data record rose to $214 from $204 in 2009.
• Rapid response to data breaches is costing companies 54 percent more per record that a slower response.

That last point will yield some further discussion over the coming weeks. It’s been said many times that a very slow response will cost an organization dearly. But it has also been said, and is now becoming clearer, that responding too rapidly is also more damaging. There’s a fine line to walk, but walking it correctly makes a very large financial difference to a breaching organization. Preparedness is a key.

We are all creatures of habit, and an important (and good) habit to get into is having a mental checklist/procedure when you travel, for all your gadgets. You probably do this already, actually, just like you do when you get dressed for work: keys (check), cell phone (check), wallet (check) and so on–you check these items off as you get them.

And you probably have a bit of a helter-skelter checklist in your mind when going through airport security. But develop a better one–perhaps even write it down on a slip of paper that you can keep in your pocket without turning it over to security before they scan you. This is especially crucial when you’re late and hurried, a scenario that greatly increases the likelihood you’ll leave something important behind.

On page 23 of the report, we find the highlighted finding:

Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop was just under $225, over $30 more than if a laptop or mobile device was not involved.

This goes to reinforce, then, that when it rains, it really pours, where laptops and mobiles are concerned. They tend to be an all-or-nothing vector, thinking of the quantities (and often qualities) of breached data involved, and when it’s “all,” it’s an expensive incident.

Most people focus first on their most significant risks, and laptops and other mobiles certainly rank highly, both by their sheer ubiquity and also by this figure highlighted in the Ponemon study. Close the biggest holes first if you can.

And don’t forget to read the whole report if you can.

But, it goes on, “Data breaches experienced by ‘first timers’ are more expensive than those experienced by organizations that have had previous data breaches. The per victim cost for a first-time data breach was $228, versus $198 for companies that have experienced two or more incidents. This finding suggests companies that experience data breaches become more efficient at managing costs over time.”

Indeed, it’s a bit difficult to gauge this finding. On the one hand, it pays to be experienced. Data breach veterans have “been here before” and handle costs better. On the other hand, obviously that’s still no good since even a bargain cost of damage at, say, $100 per victim, is $300 per victim if it happens three times.

Organizations should keep in mind that the first time they’re hit with a data breach will likely be the most expensive time. Those are dues that simply aren’t worth paying–a club not worth joining.

Most folks aren’t surprised to hear that malicious and criminal attacks are more expensive (more damaging) than insider negligence or systems glitches, by a score of $215 to $154/$166 (page 5 of the report). In fact, the most intense focus tends to be on the “attack of the bad guys.”

According to the report, 24 percent of all breaches studied involved a malicious or criminal attack. So, from a damage standpoint, it’s very important to safeguard against such malicious, purposeful attacks.

But there’s an interesting second side to that coin. If 24 percent of cases involved a malicious or criminal attack, then presumably 76 percent did not. That is, 76 percent of cases involved insider negligence, system glitches, and so forth. So, from an odds standpoint, it’s “three times more important” to be wary of insider negligence, system glitches, and other non-malicious events.

And, the core technology used to safeguard against both malicious and non-malicious data breach is the same. Encrypted data is encrypted data, and trackable laptops are trackable, malicious intent or otherwise.

Furthermore:

Data breaches involving outsourced data to third parties, especially when the third party is offshore, were most costly. This could be due to additional investigation and consulting fees. The cost per compromised record for data breaches involving third parties was $217 versus $194, more than a $21 difference.

Indeed, it’s crucial to ensure that security policies and procedures take into account that third-party contractors, consultants, and other vendors can often be the weak link in a chain. You can always fire that third-party that breaches your customers’ data, but what good does that really do? It’s crucial to safeguard information both in-house and when it is shared with third parties.

According to the report, the leadership of a CISO or equivalent position substantially reduces the overall cost of data breaches (page 4). The study indicates that companies who have an experienced “point person” to manage the response to a data breach experienced an astounding 50 percent reduction in data breach cost.

Who you have on your team could make a difference of millions of dollars in a single breach incident. Leadership in high-pressure or at least high-stakes circumstances is priceless. Just ask any major pro sports team.

Consider ahead of time what your business will do in the unfortunate event that you find yourself saddled with a data breach. Who will be in charge? What authority will he have? What experience in dealing with such cases does she have? What resources can he command?

Just as we continually beat the drum of “preparedness” from a technology standpoint, to avoid a breach altogether, we also must trumpet the tune of “preparedness” for a data breach response. And that begins with key leadership in that time of need.

Do you have it?

The average cost per breached data record rose $2 in 2009, to $204.  That’s actually not too bad. The average cost of a breach was $6.75 million, compared to $6.65 million in 2008.

PC World has a good article to summarize, and thanks to lyger at DataLossDB for the pointer.

Not very many businesses are taking serious note of the fact that, on average, they have $6.75 million laptops walking around out there. For those who are, our hats are off.

Here’s an interesting excerpt:

“Overall, 42% of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82% of the cases in the Ponemon study were organizations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40% of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach.”

And how about the maximum data breach cost in the study? $31 million.

That’s a rather expensive laptop, and probably worth a few dollars to protect instead. (Note: the breach may actually have been the result of something other than a lost/stolen laptop, such as a network break-in).

The least expensive breach? $750,000. That beats $31 million, but $750k is still a pretty penny to pay, compared to protection.

Many thanks to Ponemon and PGP for another excellent study.

Kelly Jackson Higgins’ article at Dark Reading gives a good summary.

And, in the United States, the situation is even worse, with only 40 percent of US IT and security pros believing their CEOs to be security supporters. When it comes to compliance with regulations, “US firms were also less inclined to consider compliance helpful to security of their endpoints.”

This report is both quite troubling and very unsurprising. It models the philosophies that produce what we see in the real world: data breaches are quite commonplace, decent security is quite achievable, and most businesses just don’t really care (until they discover the hard way). It is quite akin to a widespread lack of interest in wearing seat belts, with only those who experience accidents and are “already dead” deciding that, sure enough, it’s not very hard to buckle a seat belt yet the benefits are enormous.

Many businesses have a department, or at least a group or individual, that handles security. (Note that the report also exposes a woeful lack of collaboration with this section of the business). Yet “the security department” or IT department in general tends to find that upper management just doesn’t “buy in” with security efforts.

Thus, in my view (not necessarily the report’s), it seems good to let the upper management take a serious fall when (not if) breaches happen. They choose not to support the buckling of seat belts, because it’s “not important” or at least not a priority. It’s only fair that their necks be on the line during the next “accident.”

The report itself can be found here. Thanks also go to Redemtech.

LA Weekly picked up on the fact that LAX is the worst spot of them all, with 1,200 laptops per week lost or stolen there. Doing the math, that’s another laptop lost or stolen every 8.4 minutes at this one airport alone. Obviously that’s a very steep number. That’s 62,400 laptops per year. The space it would take merely to store all those laptops in a “lost and found room” is staggering.

It’s worth noting a recent Tip of the Week here at MyLaptopGPS that involved airport travel. Using a TSA-approved laptop bag is a great way to help reduce your chances of being the next loss or theft victim, because using the right bag means the laptop doesn’t have to be taken out in the security checkpoint line. That’s one less thing to remember to retrieve while you’re scrambling to re-tie your shoes and get to your gate on time. Every little bit helps.

12,000 laptops per week at US airports alone.
1,200 laptops per week at one single US airport alone.
12 seconds per theft worldwide (overall).

The number 12 is eerily significant.